From bbc71343bdfc724425927ebab404b035c65f569c Mon Sep 17 00:00:00 2001
From: redmatrix
Date: Sun, 22 May 2016 22:44:13 -0700
Subject: change the signed token format. We don't folks to be able to submit random text for signing by us, as they could then use these to generate known signatures.
---
 Zotlabs/Zot/Finger.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'Zotlabs')
diff --git a/Zotlabs/Zot/Finger.php b/Zotlabs/Zot/Finger.php
index 63fdd4a4c..07798fbb1 100644
--- a/Zotlabs/Zot/Finger.php
+++ b/Zotlabs/Zot/Finger.php
@@ -110,7 +110,7 @@ class Finger {
 if($x) {
 $signed_token = ((is_array($x) && array_key_exists('signed_token',$x)) ? $x['signed_token'] : null);
 if($signed_token) {
- $valid = rsa_verify(self::$token,base64url_decode($signed_token),$x['key']);
+ $valid = rsa_verify('token.' . self::$token,base64url_decode($signed_token),$x['key']);
 if(! $valid) {
 logger('invalid signed token: ' . $url . $rhs, LOGGER_NORMAL, LOG_WARN);
 return $ret;
--
cgit v1.2.3
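Review bot: The `'token.'` prefix on the changed `rsa_verify` line is an undocumented string literal that the signing side has to reproduce byte for byte; I would add a comment above it such as `// 'token.' prefix = domain separation: a peer only ever signs 'token.' . <nonce>, never bare caller-supplied text`, and take the prefix from one shared constant if the signer lives in this codebase. A peer that still signs the bare token will presumably now fail here and take the `return $ret` path; the signing code is not in this diff (the view is limited to 'Zotlabs'), so confirm both sides ship together or that failed lookups are acceptable during rollout. Separately, the check runs only inside `if($signed_token)` and reads `$x['key']` from the same response without an existence test. Whether a response that omits `signed_token` or `key` is rejected elsewhere cannot be seen, because the method body starts and ends outside the hunk.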